A critical security flaw in CurseForge's desktop launcher allowed attackers to execute arbitrary code on millions of systems by exploiting unauthenticated WebSocket connections. The vulnerability enabled malicious websites to trigger modpack launches with attacker-controlled JVM arguments, bypassing origin checks. After a coordinated disclosure process, CurseForge patched the issue in November 2025.
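The class of flaw summarized above comes down to a local WebSocket server that accepts any connection and trusts launch parameters in the message. The following added example (not CurseForge's code or its actual fix) sketches the defensive checks such a listener needs; the origin, token transport, and field names are assumptions chosen for illustration.

```javascript
// Added example: hardened handshake and message checks for a localhost
// WebSocket control channel. All names and values below are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://launcher.example"]); // assumed trusted UI origin
const ALLOWED_FIELDS = new Set(["action", "modpackId"]);       // no JVM args from the client

// XOR comparison that does not return early on the first mismatching byte.
// In Node.js, crypto.timingSafeEqual is the preferred primitive.
function tokensMatch(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide whether to accept the HTTP upgrade. Browsers always send Origin on
// WebSocket handshakes and page script cannot change it; the token covers
// non-browser clients, which can set any Origin they like.
function authorizeUpgrade(headers, sessionToken) {
  const origin = headers["origin"];
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin" };
  }
  const token = headers["sec-websocket-protocol"]; // token carried as subprotocol (assumption)
  if (typeof token !== "string" || token.length === 0 || !tokensMatch(token, sessionToken)) {
    return { ok: false, reason: "token" };
  }
  return { ok: true };
}

// Accept only known fields; launch options such as JVM arguments come from
// the launcher's own configuration, never from the message.
function parseLaunchRequest(raw) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return null; }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  for (const key of Object.keys(msg)) {
    if (!ALLOWED_FIELDS.has(key)) return null;
  }
  if (msg.action !== "launch" || !Number.isInteger(msg.modpackId)) return null;
  return { action: "launch", modpackId: msg.modpackId };
}
```

Rejecting unknown fields outright, rather than ignoring them, also gives the launcher a clear signal to log when a client attempts to pass launch arguments.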